Currently, Firefox will always fall back to the subject common name for
certificates issued from imported roots if necessary - the about:config
preference doesn't affect this.
Since Chrome removed support for this fallback entirely, though, we can
do so as well. I filed
https://bugzilla.mozilla.org/show_bug.cgi?id=1691122 to do this work.
Thank you,
Dana
On 2/5/21 02:54, Roest, Lennert via Enterprise wrote:
In our enterprise, SSL certificates with a valid subjectAltName field are
required for all webservers, and we want to be able to show (test/prod) users a
warning when this is not the case.
However, with the current Firefox ESR78 this does not seem possible; it seems to
always ignore a missing subjectAltName (and fall back to CN) for websites signed
with an internal/imported root.
The default setting security.pki.name_matching_mode = 3 (only use name
information from the subject alternative name extension) does not work for
imported roots.
It seems this was introduced a few years ago, in order not to break too many
internal websites at that time:
https://bugzilla.mozilla.org/show_bug.cgi?id=1245280
Would it be possible on ESR78 to show this warning also for sites signed with
imported roots?
(either with a group policy option, or by default like Edge/Chrome)
For reference, Edge/Chrome do show a warning for all https sites without
subjectAltName (NET:ERR_CERT_COMMON_NAME_INVALID)
Chrome removed the CN fallback by default since v58:
https://developers.google.com/web/updates/2017/03/chrome-58-deprecations#remove_support_for_commonname_matching_in_certificates
It had an optional Enterprise policy to enable CN fallback for local roots,
which was deprecated per v65:
https://cloud.google.com/docs/chrome-enterprise/policies/?policy=EnableCommonNameFallbackForLocalAnchors
Regards,
Lennert Roest
........................................................................
Desktop Hosting 2 Acceptatie
Shared Service Center ICT
________________________________
This message may contain information that is not intended for you. If you are not
the addressee or if this message was sent to you by mistake, you are requested
to inform the sender and delete the message. The State accepts no liability for
damage of any kind resulting from the risks inherent in the electronic transmission
of messages.
Ministerie van Justitie en Veiligheid.
_______________________________________________
Enterprise mailing list
Enterprise@mozilla.org
https://mail.mozilla.org/listinfo/enterprise
To unsubscribe from this list, please visit https://mail.mozilla.org/listinfo/enterprise
or send an email to enterprise-requ...@mozilla.org with a subject of
"unsubscribe"
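As an added illustration (not code from the thread, from Firefox or from Chrome), the following Python models hostname matching under security.pki.name_matching_mode = 3 with and without the imported-root CN fallback the messages describe. The certificate dicts follow the layout of Python's ssl getpeercert() and are constructed here; hostname_matches and the imported_root / cn_fallback_for_imported_roots flags are assumed names for this model, not a Firefox API.

```python
from typing import Optional

# Mode 3 semantics as described in the thread: only subjectAltName is consulted,
# except that ESR78 still fell back to the subject CN for chains ending in an
# imported (non-built-in) root. Chrome, and Firefox after bug 1691122, never do.

def _label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive exact match, or a '*' covering only the leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def dns_sans(cert: dict) -> list:
    """dNSName entries of the subjectAltName extension (empty if absent)."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_name(cert: dict) -> Optional[str]:
    """First commonName attribute of the subject, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def hostname_matches(cert: dict, hostname: str, imported_root: bool,
                     cn_fallback_for_imported_roots: bool) -> bool:
    """True if hostname is accepted for cert under the modelled policy.

    SAN present -> only SAN dNSNames count; the CN is ignored entirely.
    SAN absent  -> the CN is used only for imported roots, and only while the
                   fallback is enabled (ESR78 behaviour); otherwise reject.
    """
    sans = dns_sans(cert)
    if sans:
        return any(_label_match(s, hostname) for s in sans)
    if imported_root and cn_fallback_for_imported_roots:
        cn = common_name(cert)
        return cn is not None and _label_match(cn, hostname)
    return False

# Constructed sample certificates (not real ones); shape as in getpeercert().
CN_ONLY_CERT = {"subject": ((("commonName", "intranet.example.internal"),),)}
SAN_CERT = {"subject": ((("commonName", "example.internal"),),),
            "subjectAltName": (("DNS", "*.example.internal"),)}
```

With the fallback enabled the CN-only certificate is accepted for an imported root, which is exactly the warning the original poster could not get ESR78 to show; with the fallback disabled it is rejected, and a certificate that carries a SAN never has its CN consulted even when the CN would match.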